The information in this document is based on the software and hardware
versions below.

Cisco Secure ACS for Windows versions 2.5 and later

VPN 3000 Concentrator versions 2.5.2.C and later (This configuration
has been verified with version 4.0.x.)

The information presented in this document was created from devices in
a specific lab environment. All of the devices used in this document started
with a cleared (default) configuration. If you are working in a live network,
ensure that you understand the potential impact of any command before using
it.

Follow these steps to configure the VPN Concentrator to use Cisco
Secure ACS for Windows.

On the VPN 3000 Concentrator, go to Configuration >
System > Servers > Authentication Servers and add the Cisco
Secure ACS for Windows server and key ("cisco123" in this example).

In Cisco Secure ACS for Windows, add the VPN Concentrator to the
ACS server Network Configuration, and identify the dictionary
type.

In Cisco Secure ACS for Windows, go to Interface
Configuration > RADIUS (Microsoft) and check the Microsoft
Point-to-Point Encryption (MPPE) attributes so that the attributes appear in
the group interface.

In Cisco Secure ACS for Windows, add a user. In the user's group,
add the MPPE (Microsoft RADIUS) attributes, in case you require encryption at a
later time.

On the VPN 3000 Concentrator, go to Configuration >
System > Servers > Authentication Servers. Select an
authentication server from the list, and then select Test.
Test authentication from the VPN Concentrator to the Cisco Secure ACS for
Windows server by entering a username and password.

If authentication succeeds, the VPN Concentrator shows an
"Authentication Successful" message. Failures in Cisco Secure ACS for Windows
are logged in Reports and Activity > Failed Attempts. In a
default install, these reports are stored on disk in C:\Program
Files\CiscoSecure ACS v2.5\Logs\Failed Attempts.

Now that you have verified that authentication works from the PC to the VPN
Concentrator and from the Concentrator to the Cisco Secure ACS for
Windows server, you can reconfigure the VPN Concentrator to send PPTP users to
Cisco Secure ACS for Windows RADIUS by moving the Cisco Secure ACS for Windows
server to the top of the server list. To do this on the VPN Concentrator, go to
Configuration > System > Servers > Authentication
Servers.

Go to Configuration > User Management > Base
Group and select the PPTP/L2TP tab. In the VPN
Concentrator base group, ensure that the options for PAP and MSCHAPv1 are
enabled.

Select the General tab and ensure that PPTP is
permitted in the Tunneling Protocols section.

Test PPTP authentication with the user in the Cisco Secure ACS for
Windows RADIUS server. If this does not work, please see the
Debugging section.

If connections do not work, you can add PPTP and AUTH event classes to
the VPN Concentrator by going to Configuration > System > Events
> Classes > Modify. You can also add PPTPDBG, PPTPDECODE,
AUTHDBG, and AUTHDECODE event classes, but these options may provide too much
information.

Error 691: The computer you have dialed in to has denied access because
the username and/or password is invalid on the domain.

Possible cause: "MPPE Encryption Required" is selected on the concentrator, but
the Cisco Secure ACS for Windows server is not configured for MS-CHAP-MPPE-Keys
and MS-CHAP-MPPE-Types.

VPN 3000 Concentrator debug output

With AUTHDECODE (severity 1-13) and PPTP debug (severity 1-9) enabled,
the log shows that the Cisco Secure ACS for Windows server is not sending
vendor-specific attribute 26 (0x1A) in its Access-Accept
(partial log).
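The debug description above turns on the presence of RADIUS attribute 26 (Vendor-Specific) carrying Microsoft's MPPE attributes in the Access-Accept. The script below is an added example, not part of the original Cisco document and not code from the ACS or VPN 3000 software: it builds two constructed Access-Accept packets (one with the Microsoft MPPE attributes, one without), verifies the Response Authenticator against the shared secret used in this document ("cisco123"), and reports which Microsoft MPPE attributes (vendor ID 311; vendor types 7, 8, 12, 16 and 17 from RFC 2548) are present. The request authenticator, packet identifiers and attribute values are constructed sample data, and the function names are this example's own.

```python
import hashlib
import hmac
import struct

# Constructed values for this example: the shared secret matches the key used in the
# document's configuration steps; the request authenticator is an arbitrary 16-byte sample.
SHARED_SECRET = b"cisco123"
REQUEST_AUTHENTICATOR = bytes(range(16))

ACCESS_ACCEPT = 2           # RADIUS code for Access-Accept (RFC 2865)
VENDOR_SPECIFIC = 26        # RADIUS Vendor-Specific attribute type (0x1A)
MICROSOFT_VENDOR_ID = 311   # Microsoft's IANA enterprise number, used inside attribute 26
FRAMED_PROTOCOL = 7         # an ordinary RADIUS attribute, included as non-MPPE filler

# Microsoft vendor types that carry MPPE policy or key material (RFC 2548).
MS_MPPE_TYPES = {
    7: "MS-MPPE-Encryption-Policy",
    8: "MS-MPPE-Encryption-Types",
    12: "MS-CHAP-MPPE-Keys",
    16: "MS-MPPE-Send-Key",
    17: "MS-MPPE-Recv-Key",
}


def encode_attribute(atype, value):
    """Encode one top-level RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def encode_ms_vsa(vendor_type, value):
    """Wrap one Microsoft vendor attribute inside RADIUS attribute 26."""
    vendor_data = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attribute(VENDOR_SPECIFIC, struct.pack("!I", MICROSOFT_VENDOR_ID) + vendor_data)


def build_access_accept(identifier, request_authenticator, attributes, secret):
    """Build an Access-Accept whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), as RFC 2865 specifies."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    response_auth = hashlib.md5(header + request_authenticator + attributes + secret).digest()
    return header + response_auth + attributes


def parse_tlvs(data, offset=0):
    """Split a run of Type/Length/Value items; used for top-level and vendor attributes alike."""
    items = []
    pos = offset
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("invalid attribute length %d" % alen)
        items.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return items


def verify_response_authenticator(packet, request_authenticator, secret):
    """True only if the reply was produced by a server holding the shared secret."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def check_access_accept(packet, request_authenticator, secret):
    """Summarise an Access-Accept: is it authentic, and which Microsoft MPPE attributes does it carry?"""
    result = {
        "authentic": verify_response_authenticator(packet, request_authenticator, secret),
        "mppe_attributes": [],
    }
    for atype, value in parse_tlvs(packet, 20):
        if atype != VENDOR_SPECIFIC or len(value) < 4:
            continue
        if struct.unpack("!I", value[:4])[0] != MICROSOFT_VENDOR_ID:
            continue  # some other vendor's VSA, not relevant to MPPE
        for vendor_type, _ in parse_tlvs(value, 4):
            name = MS_MPPE_TYPES.get(vendor_type)
            if name:
                result["mppe_attributes"].append(name)
    result["mppe_present"] = bool(result["mppe_attributes"])
    return result


# Two constructed replies: one carrying MPPE attributes (policy 2 = Encryption-Required,
# types 0x06 = 40- and 128-bit per RFC 2548) and one carrying only Framed-Protocol = PPP.
WITH_MPPE = build_access_accept(1, REQUEST_AUTHENTICATOR,
    encode_attribute(FRAMED_PROTOCOL, struct.pack("!I", 1))
    + encode_ms_vsa(7, struct.pack("!I", 2))
    + encode_ms_vsa(8, struct.pack("!I", 6)), SHARED_SECRET)
WITHOUT_MPPE = build_access_accept(2, REQUEST_AUTHENTICATOR,
    encode_attribute(FRAMED_PROTOCOL, struct.pack("!I", 1)), SHARED_SECRET)

if __name__ == "__main__":
    for label, pkt in (("with MPPE", WITH_MPPE), ("without MPPE", WITHOUT_MPPE)):
        print(label, check_access_accept(pkt, REQUEST_AUTHENTICATOR, SHARED_SECRET))
```

To apply this to a real reply, feed check_access_accept the raw UDP payload of the Access-Accept together with the Request Authenticator from the matching Access-Request and the shared secret: an "authentic" of False means the secret on the concentrator and on ACS do not match (or the packet was altered in transit), and an empty "mppe_attributes" list is the condition the debug text describes, where the server answers Access-Accept but omits attribute 26 and the concentrator, with "MPPE Encryption Required" set, rejects the session.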